[midPoint] midPoint behind load balancer with SSL

Solberg, Eric eric at solberg.com
Thu Oct 18 02:47:05 CEST 2018


I’m setting up midpoint on Google Cloud Platform, where it will serve as my IDP for internal users (which right now is me, myself and I) and external users (which right now is my wife and my dog).

I’ll have various other admin and devops apps running in this environment. Of course, I don’t want these publicly accessible.

One approach is to implement a VPN into the cloud. But Google is recommending a different approach. The approach is to use an “identity-aware” load balancer / proxy. None of the internal apps will have public IP addresses, and the proxy will only let authenticated users through. I can then set up auth schemes appropriately, leveraging Google infrastructure at least for the internal users.

The load balancer only accepts SSL:443 connections on the public-facing IP address https://internal.mydomain.com. After authenticating, the request is forwarded to the internal midpoint server on http://midpoint-internalip:8080.

I’ve got this set up and working, but every time I load a page or click a link it redirects to http, to which the Google load balancer responds rudely with a 404. Note that if I edit the URL after every page load and manually add https, the correct page comes up. It just keeps reverting to http.

I can’t rule out the possibility that there’s something going on with cached pages or DNS, but I think these are links or redirects coming from midpoint.

I’ve found a few discussions on the net talking about configuring Tomcat to work with forwarded requests:

https://serverfault.com/questions/181177/rewriting-302-app-server-redirect-urls-with-apache-proxy-in-the-middle

https://serverfault.com/questions/388927/apache-reverseproxypass-redrects-to-http-rather-than-https

The recommendation is to use a valve in the Tomcat server.xml that handles the x-forwarded-protocol header:

<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="x-forwarded-protocol" />

Looking at the midpoint.war file, though, I don’t see a server.xml. I’ve been out of the Java loop for a while, but is the application.yml file taking the place of server.xml? Is there a way to configure this valve in that file?

Thanks for any advice.

Eric
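
Added example, not from Eric's message and not from the midPoint project: the Spring Boot application.yml equivalent of the RemoteIpValve line quoted above, written on the assumption that midPoint's application.yml is a standard Spring Boot configuration file (an assumption, not something the message confirms). The property names (server.use-forward-headers, server.tomcat.protocol-header, server.tomcat.remote-ip-header, server.tomcat.internal-proxies) are Spring Boot's own; the header names and the proxy address range are placeholders to be matched to what the load balancer actually sends and where it connects from. The weak setting is left in as a comment beside the corrected one so the difference is visible.

```yaml
# Added example (not from the original post or from the midPoint project).
# Assumes midPoint's application.yml is a standard Spring Boot
# application.yml; the property names below are Spring Boot's own.
# Header names and the proxy address range are placeholders: match them
# to what your load balancer actually sends and where it connects from.
server:
  port: 8080

  # Weak setting: forwarded headers are ignored, so the application only
  # sees the plain-http hop from the proxy and builds http:// redirects,
  # which is the symptom described in the message.
  # use-forward-headers: false

  # Corrected setting: registers Tomcat's RemoteIpValve from configuration,
  # the same valve the server.xml <Valve .../> line registers by hand.
  use-forward-headers: true
  tomcat:
    # Header carrying the scheme the client used. Spring Boot's default is
    # X-Forwarded-Proto; set it to the header your proxy really sends
    # (the message's server.xml line uses x-forwarded-protocol).
    protocol-header: X-Forwarded-Proto
    # Header carrying the original client address.
    remote-ip-header: X-Forwarded-For
    # Trust the two headers above only when the TCP peer matches this
    # Java regex. PLACEHOLDER: replace with the address range your load
    # balancer connects from. Spring Boot's default already covers the
    # RFC 1918 private ranges; narrowing it means a client that reaches
    # port 8080 directly cannot choose its own scheme or source address.
    internal-proxies: '10\.0\.0\.\d{1,3}'
```

After a restart, a redirect that previously came back through the load balancer with a Location header starting with http:// should now start with https://; if it does not, the first things to check are that the proxy's address matches internal-proxies and that protocol-header is the header the proxy actually sets. On Spring Boot 2.2 and later the use-forward-headers property is deprecated in favour of server.forward-headers-strategy: native, which registers the same valve.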
